"The old attack would involve a single user who wanted to lock out another individual or group of individuals by entering multiple unsuccessful passwords. The goal isn't to guess the password, but to lock the account by sending multiple unsuccessful login attempts. Now, if this user was particularly malicious he could try to enumerate all of the usernames for an online system and then use a script to lock out all of the users."

This attack is certainly a problem for authentication sites that use standard username/password authentication together with a "failed logon attempts" lockout mechanism: any party who knows a username can drive that counter to its limit. The MultiFactor SecureAuth product addresses this type of attack.

In a scenario where the SecureAuth solution is deployed, neither the legitimate user nor an attacker is even prompted for the password unless the following conditions are first met:

b) The user has first registered the browser through a secure out-of-band method (Image #2 and Image #3):

- Telephony (Cell Phone or Land) One-Time-Password (OTP)

- SMS Text Message OTP

- E-mail OTP

(Image #2)

(Image #3)

In effect, only a user who has established a reasonable degree of "credibility" is even allowed to reach the password prompt (e.g., someone in possession of the user's cell or land line, or with access to a non-exportable key in the user's browser). Neither a hacker nor an automated bot would meet these criteria, so their requests never reach the password check and never increment the failed-attempt counter.

Thus, by deploying SecureAuth, an enterprise takes a large step toward mitigating the "Account Lockout Attack".
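To make the mitigation concrete, here is a small Python model of the two designs discussed above. It is an added example written for this page, not MultiFactor or SecureAuth code; the lockout threshold, the in-memory user store and the "browser token" (a stand-in for the non-exportable key a registered browser would hold) are all constructed for illustration. In the naive design, anyone who knows a username can exhaust its failed-attempt counter; in the gated design, a request from an unregistered browser is turned away before the password is ever checked, so the counter belonging to the legitimate user is never touched.

```python
"""Toy model (added example, not product code) of why gating the password
prompt behind browser registration blunts the account-lockout attack."""
import secrets

LOCKOUT_THRESHOLD = 3  # constructed policy value for the demonstration


class NaiveLogin:
    """Classic username/password with a failed-attempt lockout counter.
    Any party who knows a username can drive that counter to the threshold."""

    def __init__(self, users):
        self.users = dict(users)              # username -> password (toy only)
        self.failures = {u: 0 for u in users}

    def is_locked(self, username):
        return self.failures.get(username, 0) >= LOCKOUT_THRESHOLD

    def login(self, username, password):
        # Unknown usernames get the same answer as a wrong password, so the
        # response is not a username-enumeration oracle.
        if username not in self.users:
            return "bad-password"
        if self.is_locked(username):
            return "locked"
        if self.users[username] == password:
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1          # only reachable after the gate
        return "bad-password"


class GatedLogin(NaiveLogin):
    """Password prompt reachable only from a registered browser. The
    registration step is modeled by register_browser(); in the design
    described on the page it is completed out-of-band (phone, SMS or
    e-mail OTP) before the browser is trusted."""

    def __init__(self, users):
        super().__init__(users)
        self.browser_tokens = {u: set() for u in users}

    def register_browser(self, username):
        # Hypothetical stand-in for the non-exportable key a registered
        # browser would hold; issued only after out-of-band verification.
        token = secrets.token_hex(16)
        self.browser_tokens[username].add(token)
        return token

    def login(self, username, password, browser_token=None):
        # Unregistered browser: no password prompt, and the lockout counter
        # is never touched, so this request cannot lock anyone out.
        if browser_token not in self.browser_tokens.get(username, set()):
            return "registration-required"
        return super().login(username, password)


def lockout_attack_outcome_naive():
    """Three junk password attempts against 'alice', then her real login.
    Returns the outcome of the legitimate login ('locked' on this design)."""
    system = NaiveLogin({"alice": "correct horse"})      # constructed user
    for _ in range(LOCKOUT_THRESHOLD):
        system.login("alice", "wrong-guess")
    return system.login("alice", "correct horse")


def lockout_attack_outcome_gated():
    """Same junk attempts, but from an unregistered browser; alice then
    logs in from her registered one. Returns 'ok' because the counter was
    never incremented by the unregistered requests."""
    system = GatedLogin({"alice": "correct horse"})      # constructed user
    alice_token = system.register_browser("alice")
    for _ in range(LOCKOUT_THRESHOLD):
        system.login("alice", "wrong-guess")             # no browser token
    return system.login("alice", "correct horse", browser_token=alice_token)


if __name__ == "__main__":
    print("naive design, legitimate login after attack:", lockout_attack_outcome_naive())
    print("gated design, legitimate login after attack:", lockout_attack_outcome_gated())
```

Note that the gate does not remove the lockout counter; failed attempts from a registered browser still count, which is exactly the population the counter was meant to police. What changes is that an unauthenticated request from the network can no longer reach the code path that increments it.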

We encourage all security analysts and security professionals to run the demo on our public site:

---------------

Garret Grajek is the president and co-founder of MultiFactor Corporation. He is a certified security engineer who has deployed hundreds of security solutions while working for RSA, IBM, Cisco and others.